I would like an extra option in smb.conf for the event that an LDAP backend is being used but you don't want that particular Samba server to be a Domain Controller, just a file server. I hope the diagram explains the scenario: http://www.dmarkey.com/~dmarkey/Diagram1.png I have achieved this in a roundabout way: on the file server I disabled nmbd, and on our WINS server I put an entry in for the file server as an ordinary file server, not a DC.
Why not use security = domain? Doesn't that do exactly what you want?
As far as I remember, no, it didn't. That requires a net join, and the SID mapping would be done via winbind communicating with the domain controller? That causes problems because I need the uid/gid to be consistent; for that I'm using nss_ldap.
You need no winbind; you can keep using ldapsam as passdb backend, which pulls the SIDs out of LDAP. If you have problems setting that up, you should discuss it on the samba mailing list. I'm closing this bug, as there is obviously no defect and no missing feature in Samba here ;-)
I discussed this on the mailing list before raising the bug and nobody could give me a solution that worked.
So, getting back to this. With this config:

[global]
    workgroup = CS
    netbios name = WESTMEATH
    security = domain
    server string = Storage Server
    encrypt passwords = Yes
    ldap passwd sync = yes
    interfaces = eth1 147.x.x.x/16
    bind interfaces only = yes
    password server = kerry
    log level = 3
    syslog = 0
    log file = /var/log/samba/log.%m
    mangling method = hash2
    domain logons = yes
    domain master = No
    preferred master = no
    wins server = xxx.xxx.xxx.xxx xxx.xxx.xxx,xxx
    passdb backend = ldapsam:ldaps://147.xxx.xxx.xxx
    ldap admin dn = cn=admin,dc=cs,dc=dit,dc=ie
    ldap suffix = dc=cs,dc=dit,dc=ie
    ldap group suffix = ou=group
    ldap user suffix = ou=user
    ldap machine suffix = ou=machine
    load printers = no
    create mask = 0640
    directory mask = 0750
    nt acl support = yes
    printing = none
    ldapsam:trusted = yes
    guest account = nobody
    map to guest = Bad User
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[tech]
    comment = Techshare
    path = /home/tech
    read only = No
    profile acls = yes
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700
    browseable = no
    guest ok = no
    printable = no
    valid users = @tech
    hide files = /desktop.ini/outlook*.lnk/*Briefcase*/

_____________________________________________________

According to what you said, Samba should not advertise itself as a domain controller, but it still does. I've tried every combination of settings I can think of, but I still cannot get the outcome I want.
You tell them to by setting domain logons = yes ...
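As an added example (this is neither Samba project code nor the reporter's configuration), the following Python lint makes the point of the reply checkable: it parses an smb.conf, reports which [global] parameters make smbd/nmbd announce the host as a domain controller or domain master browser, and emits the same [global] with those flags switched off while leaving the ldapsam backend and LDAP suffixes untouched. The embedded sample is a constructed, trimmed copy of the configuration posted above; the parameter descriptions are the standard meanings of those smb.conf options, and the lint only knows about the three flags it lists.

```python
"""Lint a Samba 3 smb.conf for settings that make a file server announce
itself as a domain controller.

Added example for this bug thread; it is not Samba project code and not the
reporter's code. SAMPLE_SMBCONF is a constructed, trimmed copy of the
[global] section posted in the bug.
"""
import configparser
import re

# [global] parameters that make smbd/nmbd act as, or announce itself as, a
# domain controller or domain master browser when set to a true value.
DC_FLAGS = {
    "domain logons": "smbd services NETLOGON requests, i.e. acts as an NT4-style DC",
    "domain master": "nmbd claims the domain master browser role for the workgroup",
    "preferred master": "nmbd forces a browser election on startup",
}

# smb.conf boolean spellings are case-insensitive.
TRUE_WORDS = {"yes", "true", "1"}


def parse_smbconf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Parameter names are case-insensitive and internal whitespace is not
    significant, so 'Domain  Logons' and 'domain logons' map to one key.
    Only '=' is a key/value delimiter: values such as 'ldapsam:ldaps://...'
    contain ':' and must not be split there.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = lambda name: re.sub(r"\s+", " ", name.strip().lower())
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def is_true(value):
    return value.strip().lower() in TRUE_WORDS


def dc_advertising_settings(conf):
    """Return {parameter: value} for every DC-related flag that is switched on."""
    g = conf.get("global", {})
    return {k: v for k, v in g.items() if k in DC_FLAGS and is_true(v)}


def file_server_global(conf):
    """Return a copy of [global] with the DC-related flags explicitly off.

    Everything else (ldapsam backend, LDAP suffixes, WINS server) is kept:
    the server still reads accounts from LDAP, it just stops being a DC.
    """
    g = dict(conf.get("global", {}))
    for k in DC_FLAGS:
        g[k] = "no"
    return g


def render_section(name, params):
    """Render one section back into smb.conf syntax."""
    lines = ["[%s]" % name]
    lines += ["    %s = %s" % (k, v) for k, v in params.items()]
    return "\n".join(lines)


# Constructed sample, trimmed from the configuration posted in the thread.
SAMPLE_SMBCONF = """\
[global]
    workgroup = CS
    netbios name = WESTMEATH
    security = domain
    passdb backend = ldapsam:ldaps://147.xxx.xxx.xxx
    ldap suffix = dc=cs,dc=dit,dc=ie
    ldapsam:trusted = yes
    log file = /var/log/samba/log.%m
    domain logons = yes
    domain master = No
    preferred master = no

[tech]
    path = /home/tech
    valid users = @tech
"""

if __name__ == "__main__":
    conf = parse_smbconf(SAMPLE_SMBCONF)
    for param, value in dc_advertising_settings(conf).items():
        print("%s = %s  -> %s" % (param, value, DC_FLAGS[param]))
    print()
    print(render_section("global", file_server_global(conf)))
```

Run against the posted configuration, the only flag reported is domain logons = yes; domain master and preferred master are already off. The authoritative check on a real host is Samba's own parser, e.g. `testparm -v | grep -i 'domain logons'`, since it also shows defaults this lint does not model.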
With domain controller = no:

Westmeath:~# net user -I Westmeath
Enter root's password:
Could not connect to server 147.xx.xx.xx
Connection failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

And it creates it only sambaDomain object in LDAP:

dn: sambaDomainName=WESTMEATH,dc=cs,dc=dit,dc=ie
sambaDomainName: WESTMEATH
sambaSID: S-1-5-21-911453016-1235691199-2814491779
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
structuralObjectClass: sambaDomain
entryUUID: 6d0db50e-930b-102d-80a7-4be67a57e353
creatorsName: cn=admin,dc=cs,dc=dit,dc=ie
createTimestamp: 20090219195831Z
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
entryCSN: 20090219195831.387671Z#000000#001#000000
modifiersName: cn=admin,dc=cs,dc=dit,dc=ie
modifyTimestamp: 20090219195831Z

Which is completely wrong. It should be using sambaDomainName=CS,dc=cs,dc=dit,dc=ie
Sorry, that should be: And it creates its _own_ sambaDomain object in LDAP
Sorry, with domain logons = no. I should really proofread my comments!